A static technique for detecting input validation vulnerabilities in Android apps (cited by: 5)



Authors: Zhejun FANG, Qixu LIU, Yuqing ZHANG, Kai WANG, Zhiqiang WANG, Qianru WU

Affiliations: [1] National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China; [2] National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China; [3] Beijing Electronic Science and Technology Institute, Beijing 100070, China; [4] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Source: Science China (Information Sciences), 2017, No. 5, pp. 206-221 (16 pages)

Funding: supported in part by National Information Security Special Projects of the National Development and Reform Commission of China (Grant No. (2012)1424); National Natural Science Foundation of China (Grant Nos. 61572460, 61272481, 61303239); Open Project Program of the State Key Laboratory of Information Security (Grant No. 2015-MS-04)

Abstract: Input validation vulnerabilities are common in Android apps, especially in inter-component communication. Malicious attacks can exploit this kind of vulnerability to bypass Android's security mechanisms and compromise the integrity, confidentiality and availability of Android devices. However, so far there is no sound source-code-level approach that app developers can use to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and implement a prototype named Easy IVD, which provides practical static analysis of Java source code. Easy IVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Easy IVD then validates these slices against predefined security rules to detect vulnerabilities of known patterns. To detect vulnerabilities of unknown patterns, Easy IVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Easy IVD then semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate Easy IVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities, including confused deputy attacks and denial of service attacks. Our results prove that Easy IVD can provide a practical defensive solution for app developers.

Keywords: input validation; static analysis; program slicing; vulnerability detection; Android security

Classification codes: TP309 [Automation and Computer Technology / Computer System Architecture]; TP316 [Automation and Computer Technology / Computer Science and Technology]
